What Are WordPress Backdoors & How to Clean Them?

WordPress backdoors: After a hacked WordPress site has been cleaned, it’s natural to think that the problem has been taken care of. A lot of you may be relieved and decided to relax, but did you know that many websites experience a return of hack symptoms. Even after cleaning, malicious codes are found hidden throughout the site. What’s going on here? In most cases, there is a backdoor hidden inside your website.

What Are WordPress Backdoors?

Backdoor in a WordPress site is somewhat like a backdoor to your house. But you have no idea that a backdoor to your house exists and that’s not even the worst part. Someone who knows about the backdoor or the person who placed the backdoor there can access your house whenever they want. A backdoor in a WordPress site is the same as a backdoor of your house that you know nothing of. What does it do? It enables hackers to remotely access your website. Backdoor is a type of malware hidden away somewhere on the site. Inefficient cleaners miss these backdoors that enable hackers to enter the website.

Hackers are constantly looking for ways to breach the security of a website. Exploitation of vulnerable plugins is the most popular means of hacking a site. After breaking into the site, one of the first thing that a hacker does is he creates a backdoor. He is aware that when the site owner finds out that his site has been hacked, he’ll clean the site, look for the vulnerability that caused the hack and then weed it out. With a backdoor in place, the hacker will be able to access the site even after the vulnerable plugin has been uninstalled and deleted.

Where Are WordPress Backdoors Hidden?

Backdoors are meant to be difficult to find because the longer the doors remain, the longer the hackers can access the site and carry out their misdeeds. One of the most common types of backdoor is ‘Filesman.’ It can be found on websites built on CMS like WordPress, Joomla, Drupal, Magento, etc. Backdoors are hard to find because they are often disguised as a regular file. To find them one would need a powerful software that can comb through all the files on a WordPress site and distinguish a backdoor from a regular file. There are a few locations where hackers are often known to hide backdoors. We’ll discuss some of those locations below:

Plugins & Themes:

Poorly coded plugins are easy to infiltrate. It enables a hacker to easily insert a backdoor into the plugin which is one reason hackers prefer hiding malicious code in a plugin. Another reason is that many website owners don’t update their plugins and themes regularly. Lack of regular updates allows the codes to survive which enables hackers to access the website.

Sometimes hackers create backdoors that are disguised as a regular plugin. One look at the plugin won’t reveal anything suspicious. Websites owners are suggested to keep a track of the name of the plugins installed on their WordPress website. That way, if they find a plugin they know they haven’t installed, they can simply uninstall and delete the plugin. Backdoors are also found in outdated themes sitting unused in the theme directory. Better get rid of that inactive theme.

The diagram below gives you a general idea of how to identify a backdoor that is disguised like a regular plugin.

There are several shady websites offering popular commercial plugin free of cost. These plugins are deliberately infected with malicious codes. The plugins are manually installed like any other plugin by the admin. Little does the admin know that the plugin has malicious codes that enable hackers to access the site.

WordPress Upload Directory:

Anyone who knows the basic structure of WordPress knows that anything uploaded on the site is stored in the wp-content folder. Plugins go to the Plugin folder, Themes go to the Theme folder, images and all other uploads are stored on the Upload folder. An old website has hundreds of images in the upload folder divided by year and months. It’s easy to store a backdoor in the upload folder among the deluge of media files. Generally, a normal blogger does not open the Upload directory. Therefore, many hackers target this directory to store backdoors.

Besides the Upload directory, there are a number of other files where hackers leave a backdoor. We have seen backdoors in WordPress core folders like wp-admin and wp-includes and other important files like config.php.

Keeping track of all changes made to the WordPress files will help thwart an attempt to place a backdoor in the Upload directory. Plugins like theWP Security Audit Log helps monitor activities on your site so that you can identify suspicious behaviour at an early stage.

How to Clean a Backdoor From a WordPress Site?

Now that we know, what backdoors are and where they are commonly found, we can go ahead and clean the backdoor. Removing malware from your website, and getting rid of hacks is a painstaking process. There are two ways of doing it: one, doing a manual cleanup (by manually looking up the codes and deleting themes and plugins) or two, using a security plugin.

Look For Malicious Codes

During manual cleaning, a good place to start is by looking for base64 and eval codes. Presence of these codes in a file would mean it’s an infected file. But remember eval and base64 codes are also used in plugins and therefore can sometimes be a legit code. If you are not a developer, it’ll be difficult to know if the code is out of place or whether it’s part of a plugin. You can delete all plugins from your site and then look for the codes. Upon finding them, you delete the codes. Later, you’ll have to reinstall the plugins from scratch. Deleting the plugins could modify the look of your website. Following reinstallation of the plugins, you’ll have to redesign your site to make it look like the way it was before you deleted the plugins. As you can imagine, this method requires time, something that a lot of people can’t afford.

Delete Inactive Themes and Plugins

Earlier, we mentioned how hackers target dormant plugins and themes. If you are not using a plugin installed in your site, and there’s no chance of using it in the future, delete them. Removing inactive themes and plugins is a good security practice, regardless of whether there’s a backdoor hidden in them. Eliminating them will eliminate a point of attack.

To purge the wp-config.php file of backdoors, it’s often suggested that you compare a default wp-config.php file with the one present in your website server. But since the wp-config is an extremely important file, we’d suggest you don’t make any changes to it unless you are a programmer and know what you are doing.

Auto Cleaning

Smart hackers will place backdoors in a number of places. Manually finding them can take days or even weeks. Using a security plugin to clean backdoor saves you a lot of time as well as effort.MalCare security plugin detects hidden malware that other security plugins are unable to find and clean them effectively. The security service even has preventive measures in place like the Web Application Firewall that stops hackers from accessing your websites again. And it’s Site Hardening features prevents an unauthorized personnel from making any changes to the website.

The best way to prevent backdoors is by protecting your website from being hacked. Keep your site updated and use a security plugin that helps prevent hackers from breaching your website security.